CJEU preliminary ruling opens the door for consumer protection associations to hold big tech account

By Romina Ruszin

Photo by Maxim Hopman on Unsplash

On 28 April 2022, the Court of Justice of the European Union ruled that the German Federal Union of Consumer Organisations and Associations may seek an injunction against Meta Platforms Ireland in a German court. The judgment, which establishes that consumer protection associations may initiate action against big tech companies, constitutes a pivotal win in the fight against tech giants’ infringements on data protection rules.

The Facts

The issue at hand emanated from third-party games made available by Meta Platforms Ireland (hereinafter ‘Meta’) on its daughter company Facebook's App Center. When users consult the App Center for some of these games, they are informed that using the application allows the gaming company to obtain their personal data. The collected and published information, in some instances, included not only users’ (hereinafter ‘data subjects’) scores, but their photos and Facebook status as well. Therefore, data subjects’ playing of the game was essentially synonymous with their permission to publish their data. The user was thus considered to have accepted the general terms and conditions of the game and its data protection policy.

The German Federal Union of Consumer Organisations and Associations (hereinafter ‘the Federal Union’) believed that the App Center failed to obtain valid consent from data subjects under Articles 13(1)(c) and Articles 13(1)(e) of the General Data Protection Regulation (hereinafter ‘GDPR’), which oblige controllers to informs users of the purpose of collecting data and the personal data gathered respectively. It further considered the fact that games may publish the personal information as a general condition unduly disadvantaged data subjects. Therefore, the Federal Union initiated action for an injunction against Meta in the Berlin Regional Court. It did so without explicit reference to a specific violation of data subjects’ rights or a mandate from such a person.

The Regional Court of Berlin ruled against Meta. The Higher Regional Court later dismissed the tech giant’s appeal. Meta then went before the German Federal Court of Justice because of the Higher Regional Court’s dismissal. Although the latter Court considered that the action initiated by the Federal Union is well-founded, it had doubts about its admissibility. It had therefore requested a reference for a preliminary ruling from the CJEU on whether, subsequent to the GDPR’s entry into force, a consumer protection association can bring proceedings in a civil court against violations of that Regulation, independently of specific infringements of rights of individual data subjects and without being mandated to do so by those subjects under Article 80(2).

The Court’s Findings and Decision

The CJEU found that Article 80(2) of the GDPR does not preclude national legislation that allows consumer protection associations to bring legal proceedings against the person allegedly responsible for an infringement of the laws protecting personal data. There need not be a mandate conferred on the representative body and there need not be a specific infringement of a data subject’s GDPR-derived right. The Court established that the initiation of such representative action is possible where infringements concern the prohibition of unfair commercial practices, a breach of a consumer protection law, or the prohibition of the use of invalid general terms and conditions, and where the unlawful data processing affects rights data subjects derive from the GDPR.

First and foremost, the CJEU emphasized that the GDPR aims to harmonize national legislation on the protection of personal data. Nonetheless, the Court pointed out that Article 80(2) is one of the provisions that leaves Member States a margin of discretion when it comes to its implementation.

It noted that Article 80(1) provides for a non-profit body, organization, or association to bring representative action against the person who violates data subjects’ rights, given that their statutory objectives lie in the public interest and that they are active in the field of personal data protection. The Court reasoned that the Federal Union satisfies these criteria: it is a consumer protection association whose mandate is rooted in the public interest of safeguarding data subjects’ rights and freedoms through the protection of their personal data. This acknowledgment is crucial because it paves the way for the Federal Union to act in accordance with Article 80(2). As such, the lodging of representative action does not require prior identification of the data subject specifically concerned by data processing that is not compliant with the GDPR; designating a category or group of persons affected is sufficient.

Next, the Court asserted that bringing an action does not require a specific infringement of a data subject’s GDPR-derived right. It maintained that it is sufficient to claim that the non-compliant data processing in question is liable to affect rights that already identified or identifiable persons derive from the Regulation, without it being necessary to prove actual harm suffered through the infringement of their right.

Finally, the CJEU affirmed that the GDPR allows Member States to exercise their option to provide for consumer protection associations to be permitted to bring proceedings against infringements of the rights provided by the GDPR to protect consumers and combat unfair commercial practices.

Looking Ahead

The ruling dealt a considerable blow to tech giants by making them more susceptible to litigation over their insufficient attempts to safeguard consumers’ data. Perhaps more important, though, is its resolve to strengthen the rights of data subjects and ensure a higher level of personal data protection. Although national referring courts other than the German Federal Court and other public authorities should only treat the preliminary ruling as authoritative, the CJEU’s interpretation will hopefully serve as another weapon in the European Union’s arsenal in holding big tech accountable.

[1] Raghau Gagneja, ‘Top EU court allows consumer body to challenge Meta over data protection violation’ (Jurist, 29 April 2022) <https://www.jurist.org/news/2022/04/top-eu-court-allows-consumer-body-to-challenge-meta-over-data-protection-violation/> accessed 8 May 2022.

[2] ibid.

[3] Case C-319/20 Meta Platforms Ireland Limited, formerly Facebook Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV [European Court of Justice 28 April 2022], para 34.

[4] ibid.

[5] ibid.

[6] ibid.

[7] ibid.

[8] ibid para 35.

[9] ibid.

[10] ibid para 36.

[11] ibid.

[12] ibid para 37.

[13] ibid para 38.

[14] ibid para 47.

[15] ibid para 84.

[16] ibid para 84.

[17] ibid para 84.

[18] ibid para 57.

[19] ibid para 57, 59.

[20] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L119/1 (General Data Protection Regulation) art 80(1).

[21] Case C-319/20 Meta Platforms Ireland Limited, formerly Facebook Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV [European Court of Justice 28 April 2022], para 65.

[22] ibid para 71.

[23] ibid para 72.

[24] ibid para 79.

[25] Gagneja (n 1).

[26] Case C-319/20 Meta Platforms Ireland Limited, formerly Facebook Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV [European Court of Justice 28 April 2022], para 74.

[27] Catherine Barnard and Steve Peers (ed), European Union Law (3rd edn, OUP 2020) 324.